Getting started with Microsoft ISA Server 2006, Part III: Create Firewall Policy Rule
Firewall Policy
In Part II, you configured the network topology. Now you need to create a policy rule to allow traffic to pass through ISA Server.
By default, ISA Server is configured with a default rule that blocks all traffic passing through it. You can add custom rules to match your organization's policy. For each rule, you can set the action (allow or deny), protocols, source and destination addresses, users (ISA Server can integrate with Active Directory), the schedule during which the rule applies, and content types.
Step-by-step
Next, I will create a new web access rule that lets all users on the internal network access the Internet (external network) using only the HTTP (port 80) and HTTPS (port 443) protocols.
- Open ISA Server Management. Expand the server name (in this example, BKKFRW001) -> right-click Firewall Policy -> New -> Access Rule.

- The New Access Rule Wizard appears. Enter a name for the access rule. Click Next.

- On Rule Action, select Allow. Click Next.

- On Protocols, click Add. The Add Protocols window appears. Expand Common protocols and select HTTP and HTTPS.

- On Access Rule Sources, click Add. The Add Network Entities window appears. Expand Networks and select Internal.

- On Access Rule Destinations, add the External network.

- On User Sets, leave All Users. Click Next.

- Click Finish to complete the new rule.

- Again, don’t forget to apply your settings on ISA Server so that they take effect. Click Apply.

The next part covers client configuration for access through ISA Server.
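To see what the rule built above permits once it sits above the default rule, here is a simplified model of ordered, first-match rule evaluation. It is an added example, not ISA Server code or anything from the original article; the rule name "Web Access", the Internal range 192.168.1.0/24 and the sample addresses are constructed assumptions, and only the Internal and External networks are modelled.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample topology: this Internal range is an assumption, not from the article.
INTERNAL = ipaddress.ip_network("192.168.1.0/24")

def network_of(ip):
    """Map an address to a network name (simplified to Internal/External)."""
    return "Internal" if ipaddress.ip_address(ip) in INTERNAL else "External"

@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "Allow" or "Deny"
    protocols: frozenset     # set of (transport, port); empty set means all traffic
    sources: frozenset       # network names the rule applies from
    destinations: frozenset  # network names the rule applies to

    def matches(self, src_ip, dst_ip, transport, port):
        return (network_of(src_ip) in self.sources
                and network_of(dst_ip) in self.destinations
                and (not self.protocols or (transport, port) in self.protocols))

HTTP, HTTPS = ("tcp", 80), ("tcp", 443)
ANY_NETWORK = frozenset({"Internal", "External"})

# The rule from the walkthrough (hypothetical name), followed by the default deny rule.
POLICY = [
    Rule("Web Access", "Allow", frozenset({HTTP, HTTPS}),
         frozenset({"Internal"}), frozenset({"External"})),
    Rule("Default rule", "Deny", frozenset(), ANY_NETWORK, ANY_NETWORK),
]

def evaluate(policy, src_ip, dst_ip, transport, port):
    """Return (action, rule name) for the first matching rule, top to bottom."""
    for rule in policy:
        if rule.matches(src_ip, dst_ip, transport, port):
            return rule.action, rule.name
    return "Deny", "no matching rule"

if __name__ == "__main__":
    client, server = "192.168.1.20", "203.0.113.10"  # constructed addresses
    for port in (80, 443, 110, 25):                  # HTTP, HTTPS, POP3, SMTP
        print(port, evaluate(POLICY, client, server, "tcp", port))
```

Anything outside HTTP and HTTPS, such as POP3 on port 110 or SMTP on port 25, falls through to the default rule and is denied until a separate rule allows it.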

July 29th, 2008 at 3:13 pm
Dear Linglom.com Team,
Your web site is so nice and informative that I have never seen one like it before. Keep it up, it is really nice work you people have done.
Thanks
Qazzafi,
System and Network Administrator,
Govt. of Punjab, Pakistan.
August 25th, 2008 at 11:44 am
Hi, you did a very nice guide for ISA Server.
May I ask you something?
I am new to using ISA Server. Does running ISA Server require installing or running any programs like SQL Server or other software?
August 27th, 2008 at 3:27 pm
By default, ISA Server 2006 will automatically install MSDE as a database system. You can change this configuration after installation.
Also, ISA Server 2006 must be installed on Windows Server 2003. For more information, see this reference: ISA Server 2006 System Requirements
If you’re new to ISA Server, you can try the trial version at Internet Security and Acceleration (ISA) Server 2006 180-Day Trial Version
October 8th, 2008 at 4:55 pm
How can I configure ISA server via ssh cmd command line?
October 8th, 2008 at 4:56 pm
I’m only able to access the server via ssh right now that is why I’m asking
October 9th, 2008 at 4:46 am
Ambedo, good question. I think linglom is doing this on a private network, and people should take care when working on remote servers. Make sure to plan and set this up prior to putting ISA on the server. Myself, I used a VPN tunnel with rqs/rqc for remote install from a TechNet tutorial.
November 8th, 2008 at 7:58 pm
Dear Linglom;
Thanks for the useful info you are publishing and your useful contribution.
I succeeded in installing ISA Server 2006 and creating a web access rule, and now the Internet is working fine for clients. Note that the client type I am using is Web proxy client. But when I came to Outlook usage, I created POP3 and SMTP rules to allow, but it is still not working.
Then I changed my client type to firewall client and it is still not working, so can anyone help please?
Also, is there any way to use POP3 and SMTP on a web proxy client without needing the firewall client?
Regards;
November 9th, 2008 at 10:47 am
Hi, Waleedd
I think it depends on the mail server. Some use different protocols. For instance, Hotmail uses HTTP instead of POP3 and SMTP. In Outlook, select Tools -> Accounts -> select the Mail tab. You’ll see the existing list of mail accounts. Try double-clicking one and select the Servers tab; you’ll see what protocols it was configured to use.
Also, Outlook shares Internet Connection with Internet Explorer. So you don’t need to install firewall client if you have already configured proxy in the Internet Explorer.
November 10th, 2008 at 12:37 pm
Dear Linglom…
I’m new to server configuration and your site is very useful to people like me. The screenshots with explanations are very helpful. Thanks for the great site. Thanks a lot.
Ranjith.
November 10th, 2008 at 6:58 pm
Dear Linglom;
Thanks for your attention. I found it uses POP3 and SMTP. The strange thing is that the rule I created worked with Outlook Express and didn’t work with Microsoft Office Outlook! It also worked when the firewall client was installed, but when I removed it, it didn’t work even for Outlook Express. Furthermore, the same happened with the messenger: when I configured an allow rule for MSN Messenger, it worked only when the firewall client was installed on the client PC. Do you have any suggestions please?
Thanks for your help and support.
Waleedd;
November 10th, 2008 at 7:21 pm
To Waleedd,
You have to check whether Microsoft Office Outlook is already configured to use the same protocols as Outlook Express. I never use it, so you have to try by yourself.
About the firewall client, have you re-configured the Internet Explorer proxy (web proxy client) after you uninstalled the firewall client? For MSN Messenger, you can troubleshoot it in Options -> Connection.
November 11th, 2008 at 1:04 am
Hi Linglom;
I very much appreciate your support and help;
I found a solution for the ISA and Outlook problem, a small setting you should allow in the ISA management tool. The link below is a forum thread at isaserver.org describing the same problem and suggested solutions:
http://forums.isaserver.org/External_POP3_%26_SMTP/m_2002076137/tm.htm
and the link below is an article at isaserver.org that holds the solution for the problem:
http://www.isaserver.org/articles/2004olpop3smtp.html
Thanks again;
Waledd;
November 11th, 2008 at 6:44 am
We already have a firewall set up on our network. Is it possible to turn off the firewall on the ISA server and just use it as a cache proxy server? What I am after is Internet speed, which I am getting, but sometimes the ISA is blocking web sites and is interrupting classroom school time.
Thanks for your time
November 12th, 2008 at 9:09 pm
You can configure ISA Server as a proxy server by using the Single Network Adapter Template. With this template, ISA Server requires only a single network adapter, and it may be used for web proxy, caching, etc.
But I’ve never tried this template. For more information about the template, see Configuring ISA Server 2004 on a Computer with a Single Network Adapter at TechNet - Microsoft.